SGSB Webcast 4: Smart Grid Security Standards in Mid 2010
Transcript of SGSB Webcast 4: Smart Grid Security Standards in Mid 2010
August 2010
Smart Grid Security
Standards & Compliance
Mid 2010 Update
Andy Bochman, Editor: The Smart Grid Security Blog (SGSB)
Webcast Series Volume 4
A. Bochman 2010
Overview
– What needs regulating
– Non-standard standards process
– Asking the impossible of utilities
– What’s facing utility security leaders
– Legislation of note: the GRID Act
– NIST and NERC updates
– What’s next in the series
What needs regulation
Anything in the grid system we can’t count on being secured for purely financial reasons
… which, for the grid and Smart Grid, includes, across all power regimes from generation through consumption:
– Control systems (e.g. generation, transmission, distribution, consumption)
– Networks
– IT systems
– Edge components (e.g. Smart Meters, electric vehicles, edge storage)
What is currently regulated: the bulk electric system (generation and transmission above 300 MW), and within it only the assets the utilities themselves identify as “critical”
But the grid is a highly interconnected, interdependent
FERC/NERC sidebar
NERC – the watchdog group with the responsibility to develop, and the authority to enforce, industry reliability standards (www.nerc.com)
FERC – the federal regulatory body that governs interstate transmission of electricity, natural gas, and oil (www.ferc.gov)
Highly non-standard standards process
Standards development should be slow and boring, but that’s not the case with Smart Grid security standards … not in the least:
– NIST accelerated standards development
– NERC’s deferral to industry on (not) toughening the CIPs more, or faster
– The SGIG (DOE Smart Grid Investment Grant) process weighted security as important but used ambiguous metrics
Question for you, all matters of economic and national security aside:
– If we paid you for every critical system in your inventory, how many would you find?
– If we required you to demonstrate compliance on every critical system in your inventory, how many would you find?
IMHO: Asking the impossible of utilities
First, note that there’s often no C-level voice for security
– It hadn’t been needed in the past
Security is not a priority for rate relief
– What’s the ROI for customers … none, right?
– But money can’t be used as an excuse for lack of NERC CIP compliance
Constantly changing regulatory landscape … moving targets
– Congress and FERC want more and tougher cyber security standards, implemented faster (see the GRID Act)
– NERC committees want to go slower
So say you’re a utility security lead
Here’s what you face in mid 2010:
– Deploying new technology that’s never been widely fielded (especially for SGIG winners)
– Costly compliance reporting tasks that threaten to get much worse
– Just getting up to speed on compliance with NERC CIP-002 through CIP-009 versions 1 and 2, and bracing for more waves of change (versions 3 and 4 are coming, that’s for sure)
– Congress stirring things up with a GRID Act whose requirements cannot be met
– Business models in flux and looming disintermediation
– Aging equipment and an aging workforce. Can automation help? Enough?
– All while maintaining 99.99% reliability, as per usual
Legislation of note: the GRID Act – HR 5026
The Grid Reliability and Infrastructure Defense (GRID) Act. Passed by the House in June 2010; hasn’t reached the Senate yet but will soon
Will begin to add distribution systems to the mix
Allows FERC to bypass the NERC standards-setting process of Section 215 of the Federal Power Act (added by the Energy Policy Act of 2005) and issue orders directly concerning:
1. Vulnerabilities not addressed by current NERC CIP standards; such orders remain in effect until FERC approves a NERC standard that covers the vulnerability; and
2. Imminent cyber threats as determined by the President. FERC’s jurisdiction is extended to distribution facilities serving the up-to-100 Presidentially designated critical defense facilities in the fifty states and US territories.
3. FERC is also directed to address mitigation measures for geomagnetic events (such as solar flares) and non-nuclear EMP
BTW: No one can comply with this!
NIST Update
Smart Grid interoperability mandate
– Under the Energy Independence and Security Act (EISA) of 2007, the National Institute of Standards and Technology (NIST) has "primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems…"
Personnel changes
– Former Cyber Security Working Group (CSWG) lead Annabelle Lee is heading to FERC’s reliability team
– NIST security veteran Marianne Swanson is now taking the helm of the CSWG, the group that produces NISTIR 7628
NISTIR 7628 update
– NISTIR 7628 v1.0 is just about finalized, following two rounds of drafts and comments
– The final version will address all comments submitted to date and will include updated chapters
– New content will include a security architecture and a section on cryptography and key management
– Question: to what use is all this good work put?
NERC Update
More change coming to the CIPs
– Version 3 goes live 1 October 2010 (small changes relative to v2)
– Version 4 (CIP-002-4) posted for comment through 7 September 2010; scheduled to go live 1 July 2011 (big changes)
– Version 5 rumor: folding in NISTIR 7628
Storm clouds gathering
– Ummm … look at this
– In short, NERC’s position as security policy setter and enforcer for the BES may not hold
– Related, no doubt, to the GRID Act
Take-away from the Smart Grid Cyber Security Summit
– Utilities say the NERC CIPs have made them more secure than they would be without them
NIST-referenced standards
NIST’s own list of Smart Grid-relevant security standards
– NERC CIP-002 through CIP-009
– IEEE 1686-2007, IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities
– Security Profile for Advanced Metering Infrastructure, v1.0, Advanced Security Acceleration Project – Smart Grid (ASAP-SG), December 10, 2009
– UtilityAMI Home Area Network System Requirements Specification, 2008
– IEC 62351 Parts 1-8, Power System Control and Associated Communications – Data and Communication Security
NIST’s list of control systems standards
– ANSI/ISA-99, Manufacturing and Control Systems Security, Part 1: Concepts, Models and Terminology, and Part 2: Establishing a Manufacturing and Control Systems Security Program
– NIST Special Publication (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems, August 2009
– NIST SP 800-82, DRAFT Guide to Industrial Control Systems (ICS) Security, September 2008
– Cyber Security Procurement Language for Control Systems, Version 1.8, Department of Homeland Security, National Cyber Security Division, February 2008
– Catalog of Control Systems Security: Recommendations for Standards Developers, Department of Homeland Security, 2009
– ISA SP100 (ISA100), Wireless Standards
What’s next in the SGSB series
– September – Securing the Soft Grid: ensuring adequate security for the key applications and other software from which the Smart Grid is being constructed
– October – Securing AMI Systems: looking at current and future security issues for Smart Meters and the old and new infrastructure that supports them
– November – Smart Grid Security and Privacy from the Customers’ Point of View: putting ourselves in the customers’ shoes on these issues
– December – Understanding and Empowering a Smart Grid CSO: these guys have a heck of a lot on their plates and we’re all counting on them doing well. Here’s how you can help.
Already covered:
• Intro to SG Sec
• SG Data Sec
• SG IT Security
Lastly: new look for SGSB
Your reward for making it this far